Project

General

Profile

Revision 1250b949

ID1250b949eaeec10f5ed3432cfcb6148b5b69b433
Parent 4c7fdab6
Child 3835ed3e

Added by Andreas Kohlbecker over 1 year ago

fix #7323 adding missing uuid match check in furtherVotingDescissions()

View differences:

cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/voter/CdmPermissionVoter.java
20 20
import eu.etaxonomy.cdm.model.common.CdmBase;
21 21
import eu.etaxonomy.cdm.persistence.hibernate.permission.CRUD;
22 22
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmAuthority;
23
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmPermissionClass;
24 23
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmAuthorityParsingException;
24
import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmPermissionClass;
25 25

  
26 26
/**
27 27
 * The <code>CdmPermissionVoter</code> provides access control votes for {@link CdmBase} objects.
......
120 120
                vr.isClassMatch = isALL || auth.getPermissionClass().equals(evalPermission.getPermissionClass());
121 121
                vr.isPermissionMatch = auth.getOperation().containsAll(evalPermission.getOperation());
122 122
                vr.isUuidMatch = auth.hasTargetUuid() && auth.getTargetUUID().equals(cdmBase.getUuid());
123
                vr.isIgnoreUuidMatch = !auth.hasTargetUuid();
123 124

  
124 125
                // first of all, always allow deleting orphan entities
125 126
                if(vr.isClassMatch && evalPermission.getOperation().equals(DELETE) && isOrpahn(cdmBase)) {
......
127 128
                }
128 129

  
129 130
                if(!auth.hasProperty()){
130
                    if ( !auth.hasTargetUuid() && vr.isClassMatch && vr.isPermissionMatch){
131
                    if ( vr.isIgnoreUuidMatch && vr.isClassMatch && vr.isPermissionMatch){
131 132
                        logger.debug("no targetUuid, class & permission match => ACCESS_GRANTED");
132 133
                        return ACCESS_GRANTED;
133 134
                    }
......
215 216
     * to {@link CdmPermissionVoter#furtherVotingDescisions(CdmAuthority, Object, Collection, ValidationResult)}
216 217
     *
217 218
     * @author andreas kohlbecker
218
     * @date Sep 5, 2012
219
     * @since Sep 5, 2012
219 220
     *
220 221
     */
221 222
    protected class ValidationResult {
223

  
224
        /**
225
         * ignore the result of the uuid match test completely
226
         * this flag becomes true when the authority given to
227
         * an authentication has no uuid part
228
         */
229
        public boolean isIgnoreUuidMatch;
222 230
        boolean isPermissionMatch = false;
223 231
        boolean isPropertyMatch = false;
224 232
        boolean isUuidMatch = false;
cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/voter/RegistrationVoter.java
44 44
     * {@inheritDoc}
45 45
     */
46 46
    @Override
47
    protected Integer furtherVotingDescisions(CdmAuthority cdmAuthority, Object object, Collection<ConfigAttribute> attributes, ValidationResult validationResult) {
47
    protected Integer furtherVotingDescisions(CdmAuthority cdmAuthority, Object object, Collection<ConfigAttribute> attributes, ValidationResult vr) {
48 48

  
49 49
        // we only need to implement the case where a property is contained in the authority
50 50
        // the other case is covered by the CdmPermissionVoter
51 51
        if(cdmAuthority.hasProperty() && object instanceof Registration){
52 52

  
53 53
            RegistrationStatus status = ((Registration)object).getStatus();
54
            if(cdmAuthority.getProperty().contains(status.name())){
55
                return ACCESS_GRANTED;
54
            vr.isPropertyMatch = cdmAuthority.getProperty().contains(status.name());
55
            logger.debug("property is matching");
56

  
57
            if(vr.isPropertyMatch){
58
                if(vr.isIgnoreUuidMatch){
59
                    logger.debug("ignoring the uuid match result");
60
                    return ACCESS_GRANTED;
61
                }
62
                if(vr.isUuidMatch){
63
                    return ACCESS_GRANTED;
64
                } else {
65
                    return ACCESS_DENIED;
66
                }
56 67
            } else {
57 68
                return ACCESS_DENIED;
58 69
            }
cdmlib-persistence/src/test/java/eu/etaxonomy/cdm/persistence/hibenate/permission/RegistrationVoterTest.java
39 39
    Registration regREJECTED;
40 40

  
41 41
    String prep_ready = EnumSet.of(RegistrationStatus.PREPARATION,RegistrationStatus.READY).toString().replaceAll("[\\s\\]\\[]", "");
42
    String prep = EnumSet.of(RegistrationStatus.PREPARATION,RegistrationStatus.READY).toString().replaceAll("[\\s\\]\\[]", "");
42 43

  
43 44
    Authentication auth;
44 45

  
......
90 91
        assertEquals(AccessDecisionVoter.ACCESS_DENIED, vote);
91 92
    }
92 93

  
94
    /**
95
     * see https://dev.e-taxonomy.eu/redmine/issues/7323
96
     */
97
    @Test
98
    public void issue7323() {
99

  
100
        Registration regGranted = Registration.NewInstance();
101
        regGranted.setStatus(RegistrationStatus.PREPARATION);
102

  
103
        Registration regRequired = Registration.NewInstance();
104
        regRequired.setStatus(RegistrationStatus.PREPARATION);
105

  
106

  
107
        Authentication auth = authentication(
108
                new CdmAuthority(regGranted, prep, EnumSet.of(CRUD.UPDATE))
109
                );
110
        int vote = voter.vote(auth,
111
                regRequired,
112
                // the attributes to test for
113
                Arrays.asList(new CdmAuthority(CdmPermissionClass.REGISTRATION, null, EnumSet.of(CRUD.UPDATE), regRequired.getUuid())));
114
        assertEquals(AccessDecisionVoter.ACCESS_DENIED, vote);
115

  
116
        vote = voter.vote(auth,
117
                regGranted,
118
                // the attributes to test for
119
                Arrays.asList(new CdmAuthority(CdmPermissionClass.REGISTRATION, null, EnumSet.of(CRUD.UPDATE), regGranted.getUuid())));
120
        assertEquals(AccessDecisionVoter.ACCESS_GRANTED, vote);
121
    }
122

  
93 123
}

Also available in: Unified diff

Add picture from clipboard (Maximum size: 40 MB)